

The cake function util_server_wireguard executes the Ansible role-wireguard-server, which installs and configures wireguard to be used as the employee VPN.

Simplified, the role-wireguard-server works as follows:

  • Install the wireguard apt packages
  • Generate a private and public key
  • Download the public key from all other servers
  • Template /etc/wireguard/mesh.conf, which contains the public IP and public key of all other servers
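As an added example (not the role's own Jinja2 template), the following Python sketch shows what the last step amounts to: from an inventory in the page's "host key=value" form it renders mesh.conf for one host, with one [Peer] per other server and AllowedIPs pinned to that peer's single mesh address, and refuses inventories with addresses outside the subnet or duplicated mesh IPs. The inventory lines, subnet, addresses, the wg_pubkey variable and the PostUp line are assumptions; the listening port is the one shown by wg show on this page.

```python
import ipaddress

LISTEN_PORT = 51819  # port reported by `wg show` on the page

# Constructed sample inventory in the page's "host key=value ..." form. The
# wg_pubkey values are placeholders for the public keys the role downloads.
INVENTORY = """\
cus-www-prod-db-1 nic_wg_mesh_ip=10.99.0.11 nic_pub_ip=203.0.113.11 wg_pubkey=PUBKEY_DB_1=
cus-www-prod-web-1 nic_wg_mesh_ip=10.99.0.12 nic_pub_ip=203.0.113.12 wg_pubkey=PUBKEY_WEB_1=
cus-util-prod-gateway-1 nic_wg_mesh_ip=10.99.0.1 nic_pub_ip=203.0.113.1 wg_pubkey=PUBKEY_GW_1=
"""
WIREGUARD_SERVER_SUBNET = "10.99.0.0/24"  # assumed value of wireguard_server_subnet


def parse_inventory(text):
    """Return {hostname: {var: value}} for every non-empty, non-comment line."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        hosts[parts[0]] = dict(kv.split("=", 1) for kv in parts[1:])
    return hosts


def render_mesh_conf(hosts, me, subnet):
    """Render mesh.conf for `me`: one [Peer] per other server, each limited to
    its single mesh address so no peer can claim traffic meant for another."""
    net = ipaddress.ip_network(subnet)
    mesh_ips = {}  # mesh address -> hostname, used to reject duplicates
    for name, vars_ in hosts.items():
        ip = ipaddress.ip_address(vars_["nic_wg_mesh_ip"])
        if ip not in net:
            raise ValueError(f"{name}: {ip} is outside {subnet}")
        if ip in mesh_ips:
            raise ValueError(f"{name} and {mesh_ips[ip]} share mesh IP {ip}")
        mesh_ips[ip] = name
    lines = ["[Interface]",
             f"Address = {hosts[me]['nic_wg_mesh_ip']}/{net.prefixlen}",
             f"ListenPort = {LISTEN_PORT}",
             # assumed: load the private key from the mesh.key file the page lists
             "PostUp = wg set %i private-key /etc/wireguard/mesh.key", ""]
    for name in sorted(hosts):
        if name == me:
            continue  # never add ourselves as a peer
        peer = hosts[name]
        lines += ["[Peer]", f"# {name}", f"PublicKey = {peer['wg_pubkey']}",
                  f"Endpoint = {peer['nic_pub_ip']}:{LISTEN_PORT}",
                  f"AllowedIPs = {peer['nic_wg_mesh_ip']}/32", ""]
    return "\n".join(lines)
```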


Key            Value
Playbook path  plays/baseline/wireguard-server.yml

Config file               Description
/etc/wireguard/mesh.conf  Wireguard configuration file for the server-to-server mesh network
/etc/wireguard/mesh.key   Wireguard mesh private key
/etc/wireguard/           Wireguard mesh public key


Define a subnet for the wireguard mesh:


wireguard_server_subnet: ""

Define individual wireguard mesh IPs for each server:


cus-www-prod-db-1 nic_wg_mesh_ip= nic_pub_ip=

Adding new servers

Simply define the new servers in inventory/hosts and execute cake -f util_server_wireguard -i pub. Make sure to use the pub inventory (-i pub / --inventory pub), because the wireguard mesh restarts during that play.


Common commands

Show wireguard status:

root@any-server ~ # wg show

interface: mesh
  public key: wireguard-public-key=
  private key: (hidden)
  listening port: 51819

peer: wireguard-public-key=
  allowed ips:
  latest handshake: 2 seconds ago
  transfer: 1.60 GiB received, 160.15 MiB sent

peer: wireguard-public-key=
  allowed ips:
  latest handshake: 11 seconds ago
  transfer: 1.50 GiB received, 122.50 MiB sent


Start / Stop wireguard:

systemctl stop wg-quick@mesh.service
systemctl start wg-quick@mesh.service
systemctl status wg-quick@mesh.service


Ping all servers via VPN. The ping packets are routed from your workstation over the employee VPN to gateway-1 or gateway-2, then over the server-to-server mesh VPN from that gateway to the destination server:

CAKE master * cake -f debug_ping -i vpn
TASK [ping] ******************
ok: [cus-util-prod-log-1]
ok: [cus-util-prod-monitoring-1]
ok: [cus-util-prod-gitci-1]
ok: [cus-util-prod-deploy-1]
ok: [cus-www-prod-web-1]
ok: [cus-www-prod-myapp-1]

Ping server A from server B:

root@cus-util-prod-monitoring-1 ~ # host log
log has address

root@cus-util-prod-monitoring-1 ~ # ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=1.01 ms

Source of the following commands

Debug wireguard logs live:

echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
dmesg -wT | grep wireguard
echo module wireguard -p > /sys/kernel/debug/dynamic_debug/control

Debug wireguard packets:

tcpdump -i any port 51819 udp


The two redundant gateways provide the following functionality:

  • Wireguard VPN for the employees to reach the servers (called employee wireguard VPN)
  • Wireguard VPN clients for the server-to-server VPN (called wireguard mesh)
  • Firewall for granting specific employees access to specific servers
  • dnscrypt-proxy DNS resolvers for the employee VPN as well as all servers

How to add a new employee to the wireguard VPN


How to configure the firewall to allow a specific employee access to specific servers


Security considerations

The wireguard servers (gateway-1 and -2) cannot reach the employees via wireguard:

With shorewall, packets are rejected and logged:

root@cus-util-prod-gateway-1 ~ # ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted

Without shorewall, packets are dropped by wireguard:

root@cus-util-prod-gateway-1 ~ # shorewall clear
Clearing Shorewall....
Preparing iptables-restore input...
Running /sbin/iptables-restore --wait 60...
IPv4 Forwarding Enabled
root@cus-util-prod-gateway-1 ~ # ping
PING ( 56(84) bytes of data.

Wireguard clients (employees) cannot reach each other.

Wireguard mesh servers (server-to-server wireguard, also called "mesh") cannot reach employees.

The only possible connections are:

  • employees can reach their gateway (to establish a wireguard connection, or whatever is allowed by shorewall)
  • employees can reach servers in the wireguard mesh via gateway (if allowed by shorewall)
  • servers can reach each other over the wireguard mesh (if allowed by shorewall)